Ensuring the security of information does not entail securing the servers and the network only. Physical security of the organization is paramount in ensuring the IT security. When I got to the company, it did not have proper physical security measures for its equipments.
Employees could access the server room at their pleasure. This compromised the security as some employees could alter the server content or even delete some information from the server. To start with, I requested for the introduction of a system where the server room was to be always locked and the access to the room regulated. Only the server administrator was to have the authority to access the server room.
As the company was using wireless technology, I realized that there was possibility of rogue wireless devices that were accessing the company’s network leading to denial of services in the company. As a result, I proposed that we could monitor the enterprises network to see that we have eliminated these hackers.
To achieve this, I had to first weigh on some of the available means to ensure that the company incurs the minimum cost possible. The use of mobile clients and dedicated sensor nodes proved expensive to the company making me to look for other available alternatives.
I opted to use the knowledge I had acquired on the information security. I decided to use the available desk top machines as well as the Central Processing Unit (CPU) and disk resources. I requested for the purchase of USB-based wireless adapters which I attached to the desktop machines and used the adapters to monitor the wireless network.
This helped in controlling rogue devices significantly and the company did not incur a great cost in installing it.
Together with my coworkers, we came up with the company’s security policies and guidelines where one of the workers took the initiative to educate us on how to follow them. We learnt that most of the employees could log into the company’s system and leave without signing out.
This made the system susceptible to access by unauthorized persons. We learnt the need of ensuring that we have logged out every time we access the company’s system. The employees also posed security problems with some accessing other employee’s computers and altering their information. To curb this, I taught them how to ensure that no one access their shared files without their notice by assigning password to guest account.
Through this no one could be able to access the files of others even if they are shared without being given permission to do so by the owners. I also explained to them on the need of enabling the internet connection firewall to avoid their information being tampered with. Most of the staffs were not aware of presence of built-in firewall facility in their systems and those who knew, did not know that there is need to activate it.
I encouraged them on using 3rd-party firewall such as ZoneAlarm as this would monitor both inbound and outbound traffic. This helped in situations where virus or Trojan on their systems attempted to initiate unauthorized or malicious network activities out from their computers.
As most of the criminals have targeted the web servers of organizations, I realized that our company was not an exception and so something needed to be done earlier than later. Securing the web server required specialist expertise which at that moment I could not claim to be having.
I embarked on studying books that explained on how to ensure web server security and within no time I had stated working on the same for our company’s server. I started with making sure that all unnecessary services were removed in the server.
The more services are running in an operating system, the more ports will be left making it possible for malicious users to abuse. To avoid this, it is necessary to close all processes that are not in use so that they are not run automatically after rebooting the server. I also incorporated tunneling, encryption protocols and security tokens in the system to facilitate secure remote access to the web server by the server administrator.
I also made sure that I had placed the website files and scripts on a separate drive from that of the operating system. This is because the information would help hackers who access the web root directory in exploiting other vulnerabilities hence gaining access to the data in the web sever.
I was always up to date with the best practice in today’s security issues and using the best possible security measures. When I got to the company, phishing was a major security threat with the staffs. Many staffs had been lured to providing their personal information without knowing that they were giving it to frauders.
This had cost them dearly where some had been fired for disclosing the company’s information to competitors. I advised them not to ever click on any link to a message that pop up on their screens as this would make them more vulnerable to frauders. Also there was need of informing the company manager if they happen to have disclosed any information for measures to be taken in advance.